Move management port implementation to new package

Move the existing implementaiton to a new package. It should be
functionally equivalent except:

* nft sets are configured as early as possible, the rest is configured
  upon Start (synchronously)
* moved management port routing table, rules, routes etc from gateway
  code to this package, configued upon Start (synchronously)

Signed-off-by: Jaime Caamaño Ruiz <[email protected]>

Author: jcaamano

go-controller/hack/test-go.sh

@@ -33,7 +33,7 @@ function testrun {
     if [[ ! -z "${RACE:-}" ]]; then
         args="-race "
     fi
-    if [[ "$USER" != root && " ${root_pkgs[@]} " =~ " $pkg " && -z "${DOCKER_TEST:-}" ]]; then
+    if [[ "$USER" != root && " ${root_pkgs[*]} " =~ " $pkg " && -z "${DOCKER_TEST:-}" ]]; then
         testfile=$(mktemp --tmpdir ovn-test.XXXXXXXX)
         echo "sudo required for ${pkg}, compiling test to ${testfile}"
         if [[ ! -z "${RACE:-}" ]]; then
@@ -55,7 +55,7 @@ function testrun {
     if [ ! -z "${COVERALLS:-}" ]; then
         args="${args} -test.coverprofile=${idx}.coverprofile "
     fi
-    if [[ " ${big_pkgs[@]} " =~ " $pkg " ]]; then
+    if [[ " ${big_pkgs[*]} " =~ " $pkg " ]]; then
         echo "Increasing timeout to 20m for package ${pkg}"
         args="${args} -test.timeout=20m"
     fi
@@ -72,7 +72,16 @@ function testrun {
 }
 
 # These packages requires root for network namespace manipulation in unit tests
-root_pkgs=("github.com/ovn-org/ovn-kubernetes/go-controller/pkg/controllermanager" "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/node" "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/node/iptables" "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/node/rulemanager" "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/node/routemanager" "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/node/vrfmanager" "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/node/controllers/egressip")
+root_pkgs=(
+    "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/controllermanager"
+    "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/node"
+    "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/node/controllers/egressip"
+    "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/node/iptables"
+    "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/node/managementport"
+    "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/node/routemanager"
+    "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/node/rulemanager"
+    "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/node/vrfmanager"
+)
 
 # These packages are big and require more than the 10m default to run the unit tests
 big_pkgs=("github.com/ovn-org/ovn-kubernetes/go-controller/pkg/ovn")

go-controller/pkg/node/gateway_init.go

@@ -592,7 +592,7 @@ func CleanupClusterNode(name string) error {
 	}
 
 	// Clean up legacy IPTables rules for management port
-	DelLegacyMgtPortIptRules()
+	managementport.DelLegacyMgtPortIptRules()
 
 	// Delete nftables rules
 	nodenft.CleanupNFTables()

go-controller/pkg/node/gateway_init_linux_test.go

@@ -116,6 +116,28 @@ func shareGatewayInterfaceTest(app *cli.App, testNS ns.NetNS,
 		)
 
 		fexec := ovntest.NewLooseCompareFakeExec()
+
+		// management port commands
+		mpPortName := types.K8sMgmtIntfName
+		mpPortRepName := types.K8sMgmtIntfName + "_0"
+		mpPortLegacyName := types.K8sPrefix + nodeName
+		fexec.AddFakeCmd(&ovntest.ExpectedCmd{
+			Cmd:    "ovs-vsctl --timeout=15 --no-headings --data bare --format csv --columns type,name find Interface name=" + mpPortName,
+			Output: "internal," + mpPortName,
+		})
+		fexec.AddFakeCmd(&ovntest.ExpectedCmd{
+			Cmd:    "ovs-vsctl --timeout=15 --no-headings --data bare --format csv --columns type,name find Interface name=" + mpPortRepName,
+			Output: "internal," + mpPortRepName,
+		})
+		fexec.AddFakeCmdsNoOutputNoError([]string{
+			"ovs-vsctl --timeout=15 -- --if-exists del-port br-int " + mpPortLegacyName + " -- --may-exist add-port br-int " + mpPortName + " -- set interface " + mpPortName + " mac=\"0a:58:0a:01:01:02\" type=internal mtu_request=" + mtu + " external-ids:iface-id=" + mpPortLegacyName,
+		})
+		fexec.AddFakeCmd(&ovntest.ExpectedCmd{
+			Cmd:    "sysctl -w net.ipv4.conf.ovn-k8s-mp0.forwarding=1",
+			Output: "net.ipv4.conf.ovn-k8s-mp0.forwarding = 1",
+		})
+
+		// gateway commands
 		fexec.AddFakeCmd(&ovntest.ExpectedCmd{
 			Cmd: "ovs-vsctl --timeout=15 port-to-br eth0",
 			Err: fmt.Errorf(""),
@@ -288,6 +310,14 @@ func shareGatewayInterfaceTest(app *cli.App, testNS ns.NetNS,
 		}()
 		err = testNS.Do(func(ns.NetNS) error {
 			defer GinkgoRecover()
+
+			// create dummy management interface
+			err := netlink.LinkAdd(&netlink.Dummy{
+				LinkAttrs: netlink.LinkAttrs{
+					Name: types.K8sMgmtIntfName,
+				},
+			})
+			Expect(err).NotTo(HaveOccurred())
 			// start management port
 			err = mp.Start(stop)
 			Expect(err).NotTo(HaveOccurred())
@@ -969,6 +999,27 @@ OFPT_GET_CONFIG_REPLY (xid=0x4): frags=normal miss_send_len=0`
 
 		fexec := ovntest.NewLooseCompareFakeExec()
 
+		// management port commands
+		mpPortName := types.K8sMgmtIntfName
+		mpPortRepName := types.K8sMgmtIntfName + "_0"
+		mpPortLegacyName := types.K8sPrefix + nodeName
+		fexec.AddFakeCmd(&ovntest.ExpectedCmd{
+			Cmd:    "ovs-vsctl --timeout=15 --no-headings --data bare --format csv --columns type,name find Interface name=" + mpPortName,
+			Output: "internal," + mpPortName,
+		})
+		fexec.AddFakeCmd(&ovntest.ExpectedCmd{
+			Cmd:    "ovs-vsctl --timeout=15 --no-headings --data bare --format csv --columns type,name find Interface name=" + mpPortRepName,
+			Output: "internal," + mpPortRepName,
+		})
+		fexec.AddFakeCmdsNoOutputNoError([]string{
+			"ovs-vsctl --timeout=15 -- --if-exists del-port br-int " + mpPortLegacyName + " -- --may-exist add-port br-int " + mpPortName + " -- set interface " + mpPortName + " mac=\"0a:58:0a:01:01:02\" type=internal mtu_request=" + mtu + " external-ids:iface-id=" + mpPortLegacyName,
+		})
+		fexec.AddFakeCmd(&ovntest.ExpectedCmd{
+			Cmd:    "sysctl -w net.ipv4.conf.ovn-k8s-mp0.forwarding=1",
+			Output: "net.ipv4.conf.ovn-k8s-mp0.forwarding = 1",
+		})
+
+		// gateway commands
 		fexec.AddFakeCmd(&ovntest.ExpectedCmd{
 			Cmd: "ovs-vsctl --timeout=15 port-to-br eth0",
 			Err: fmt.Errorf(""),
@@ -1173,6 +1224,14 @@ OFPT_GET_CONFIG_REPLY (xid=0x4): frags=normal miss_send_len=0`
 		}()
 		err = testNS.Do(func(ns.NetNS) error {
 			defer GinkgoRecover()
+
+			// create dummy management interface
+			err := netlink.LinkAdd(&netlink.Dummy{
+				LinkAttrs: netlink.LinkAttrs{
+					Name: types.K8sMgmtIntfName,
+				},
+			})
+			Expect(err).NotTo(HaveOccurred())
 			// start management port
 			err = mp.Start(stop)
 			Expect(err).NotTo(HaveOccurred())

go-controller/pkg/node/gateway_localnet_linux_test.go

@@ -299,7 +299,7 @@ var _ = Describe("Node Operations", func() {
 	})
 
 	Context("on startup", func() {
-		It("removes stale iptables/nftables rules while keeping remaining intact", func() {
+		It("removes stale iptables rules while keeping remaining intact", func() {
 			app.Action = func(*cli.Context) error {
 				// Depending on the order of informer event processing the initial
 				// Service might be "added" once or twice.  Take that into account.
@@ -353,10 +353,6 @@ var _ = Describe("Node Operations", func() {
 				err := f4.MatchState(expectedTables, nil)
 				Expect(err).NotTo(HaveOccurred())
 
-				expectedNFT := getBaseNFTRules(types.K8sMgmtIntfName) + "\nadd rule inet ovn-kubernetes mgmtport-snat blah blah blah\n"
-				err = nodenft.MatchNFTRules(expectedNFT, nft.Dump())
-				Expect(err).NotTo(HaveOccurred())
-
 				stopChan := make(chan struct{})
 				fakeClient := util.GetOVNClientset(&service).GetNodeClientset()
 				wf, err := factory.NewNodeWatchFactory(fakeClient, "node")
@@ -405,7 +401,7 @@ var _ = Describe("Node Operations", func() {
 				err = f4.MatchState(expectedTables, nil)
 				Expect(err).NotTo(HaveOccurred())
 
-				expectedNFT = getBaseNFTRules(types.K8sMgmtIntfName)
+				expectedNFT := getBaseNFTRules(types.K8sMgmtIntfName)
 				err = nodenft.MatchNFTRules(expectedNFT, nft.Dump())
 				Expect(err).NotTo(HaveOccurred())
 

go-controller/pkg/node/gateway_shared_intf.go

@@ -50,9 +50,6 @@ const (
 	ctMarkOVN = "0x1"
 	// ctMarkHost is the conntrack mark value for host traffic
 	ctMarkHost = "0x2"
-	// ovnkubeSvcViaMgmPortRT is the number of the custom routing table used to steer host->service
-	// traffic packets into OVN via ovn-k8s-mp0. Currently only used for ITP=local traffic.
-	ovnkubeSvcViaMgmPortRT = "7"
 	// ovnKubeNodeSNATMark is used to mark packets that need to be SNAT-ed to nodeIP for
 	// traffic originating from egressIP and egressService controlled pods towards other nodes in the cluster.
 	ovnKubeNodeSNATMark = "0x3f0"
@@ -2169,62 +2166,6 @@ func setBridgeOfPorts(bridge *bridgeConfiguration) error {
 	return nil
 }
 
-// initSvcViaMgmPortRoutingRules creates the svc2managementport routing table, routes and rules
-// that let's us forward service traffic to ovn-k8s-mp0 as opposed to the default route towards breth0
-func initSvcViaMgmPortRoutingRules(hostSubnets []*net.IPNet) error {
-	// create ovnkubeSvcViaMgmPortRT and service route towards ovn-k8s-mp0
-	for _, hostSubnet := range hostSubnets {
-		isIPv6 := utilnet.IsIPv6CIDR(hostSubnet)
-		gatewayIP := util.GetNodeGatewayIfAddr(hostSubnet).IP.String()
-		for _, svcCIDR := range config.Kubernetes.ServiceCIDRs {
-			if isIPv6 == utilnet.IsIPv6CIDR(svcCIDR) {
-				if stdout, stderr, err := util.RunIP("route", "replace", "table", ovnkubeSvcViaMgmPortRT, svcCIDR.String(), "via", gatewayIP, "dev", types.K8sMgmtIntfName); err != nil {
-					return fmt.Errorf("error adding routing table entry into custom routing table: %s: stdout: %s, stderr: %s, err: %v", ovnkubeSvcViaMgmPortRT, stdout, stderr, err)
-				}
-				klog.V(5).Infof("Successfully added route into custom routing table: %s", ovnkubeSvcViaMgmPortRT)
-			}
-		}
-	}
-
-	createRule := func(family string) error {
-		stdout, stderr, err := util.RunIP(family, "rule")
-		if err != nil {
-			return fmt.Errorf("error listing routing rules, stdout: %s, stderr: %s, err: %v", stdout, stderr, err)
-		}
-		if !strings.Contains(stdout, fmt.Sprintf("from all fwmark %s lookup %s", types.OVNKubeITPMark, ovnkubeSvcViaMgmPortRT)) {
-			if stdout, stderr, err := util.RunIP(family, "rule", "add", "fwmark", types.OVNKubeITPMark, "lookup", ovnkubeSvcViaMgmPortRT, "prio", "30"); err != nil {
-				return fmt.Errorf("error adding routing rule for service via management table (%s): stdout: %s, stderr: %s, err: %v", ovnkubeSvcViaMgmPortRT, stdout, stderr, err)
-			}
-		}
-		return nil
-	}
-
-	// create ip rule that will forward ovnkubeITPMark marked packets to ovnkubeITPRoutingTable
-	if config.IPv4Mode {
-		if err := createRule("-4"); err != nil {
-			return fmt.Errorf("could not add IPv4 rule: %v", err)
-		}
-	}
-	if config.IPv6Mode {
-		if err := createRule("-6"); err != nil {
-			return fmt.Errorf("could not add IPv6 rule: %v", err)
-		}
-	}
-
-	// lastly update the reverse path filtering options for ovn-k8s-mp0 interface to avoid dropping return packets
-	// NOTE: v6 doesn't have rp_filter strict mode block
-	rpFilterLooseMode := "2"
-	// TODO: Convert testing framework to mock golang module utilities. Example:
-	// result, err := sysctl.Sysctl(fmt.Sprintf("net/ipv4/conf/%s/rp_filter", types.K8sMgmtIntfName), rpFilterLooseMode)
-	stdout, stderr, err := util.RunSysctl("-w", fmt.Sprintf("net.ipv4.conf.%s.rp_filter=%s", types.K8sMgmtIntfName, rpFilterLooseMode))
-	if err != nil || stdout != fmt.Sprintf("net.ipv4.conf.%s.rp_filter = %s", types.K8sMgmtIntfName, rpFilterLooseMode) {
-		return fmt.Errorf("could not set the correct rp_filter value for interface %s: stdout: %v, stderr: %v, err: %v",
-			types.K8sMgmtIntfName, stdout, stderr, err)
-	}
-
-	return nil
-}
-
 func newGateway(
 	nodeName string,
 	subnets []*net.IPNet,
@@ -2362,12 +2303,6 @@ func newGateway(
 		}
 
 		if config.Gateway.NodeportEnable {
-			if config.OvnKubeNode.Mode == types.NodeModeFull {
-				// (TODO): Internal Traffic Policy is not supported in DPU mode
-				if err := initSvcViaMgmPortRoutingRules(subnets); err != nil {
-					return err
-				}
-			}
 			klog.Info("Creating Gateway Node Port Watcher")
 			gw.nodePortWatcher, err = newNodePortWatcher(gwBridge, gw.openflowManager, gw.nodeIPManager, watchFactory, networkManager)
 			if err != nil {